states with 47 different data-breach
response laws, which have a lot of
consistencies but some of which are
wildly inconsistent,” Garfinkel said.

These state laws vary in how
customers should be notified of a
breach, how soon they need to be
notified and whether a hotel should
have a written information security
plan prior to any breach. Complicating matters further, when a breach
does occur, a hotel is not beholden
to the laws of the state in which it’s
headquartered or even to the laws
of the state in which breaches occurred. Instead, hotels must follow
the notification laws of the state in
which each individual guest resides.
“If a hotel has a data breach and
people from 25 different states have
stayed at the hotel during the time
of the breach and are affected by the
breach,” Garfinkel said, “the hotel,
by statute, must comply with all 25
of those states’ laws when it comes
to responding to the breach.”

What can travel managers do?

The onslaught of threats from cybercriminals can cause fatigue in travel
managers.

“I always have concerns about me personally and any of our travelers; they all have individual cards,” said Christel Peterson, corporate services and travel manager associate at Exp. “But I don’t think in this tech world there’s any way around it.”

To protect their travelers and to ensure hotels take the proper steps in protecting their security, travel managers can start by putting special provisions in their hotel contracts.

Garfinkel, who reviews sales contracts for his hotel clients for both
meetings and transient business, said
in the past two years he’s seen an uptick in the number of companies putting special data-security riders into
their contracts.

“They say, ‘As part of all this and the money we’re going to pay you for having our [business] at the hotel, you also agree that your hotel is compliant with PCI, that your hotel’s data-security measures obey or comply with applicable law and that you will use the utmost care in handling our individual employees’ personal identifying information,’” he explained. “You could even have indemnification provisions if the information is stolen while in the hotel’s possession.”

In 2014, Interpublic Group vice president of global travel and corporate card services Fran McClarnon told Business Travel News she had begun requiring a $10 million indemnification from suppliers that handle

out pretty rapidly. They have a credit card, name, address, maybe a date of birth. Now they’re really close to getting a social security number.”

As SNDR founder and CEO Shaun Murphy puts it, “Hackers are in this for the long con. Every bit of data they get on you, it’s just adding to the bigger picture.”

BUSINESS TRAVELERS SHOULD REMAIN VIGILANT

Although people continually are warned not
to use the same username and password for
multiple accounts, they do. It’s understandable;
it’s difficult to keep track of so many username
and password combinations.

Liable or not, corporations are wise to encourage or even require travelers to diversify
security credentials related to corporate travel
and card and to remain vigilant with their
personal information.

Even if the loyalty program doesn’t tie to
a credit card or date of birth, bank and email
accounts that share the same username and
password might. Hackers initially aimed to
drain accounts of points, trade them for tangible goods like airline tickets and hotel stays
and resell those for cash, but their goals have
become loftier.

Once the hackers are inside a merchant’s network, even if it’s just the loyalty scheme, “it’s pretty easy for the criminal to jump or hop into other parts of the network if they don’t have the segregation that they need between the nonpayment and the payment side of the business,” said Verifone chief security officer Joe Majka. “Once they get a foothold into the nonpayment side, they begin to scan the networks. What they’re looking for is the admin ID and credential. Once they capture that, it gives them the keys to the kingdom that allows them to access any part of that network.”

—Additional reporting by Julie Sickel

her company’s data consolidation and reporting.

This year, the company specifically assigned a resource to ensure all airline contracts worth over $5 million of spend include clauses that address data security and privacy, regardless of whether the contracts are up for renewal or not. Airlines with renewal contracts have so far adhered to her requests. “We give them enough business. If they’re worried about losing it, they usually try to compromise and come to the table with a solution and typically we get what we need,” she said.

Interpublic has stopped short of
requiring the same from hotels, in
large part due to the fact that transient travel contracts are negotiated
through a tool, not a legal, signed
document. This makes it nearly
impossible to insert an addendum,
according to McClarnon. But she
believes suppliers are taking data
security more seriously as a result
of corporations like hers taking it
more seriously.

Garfinkel would encourage travel
buyers to keep pressing for change
both on transient and group contracts. “It really depends on your
negotiating power,” individually, yes,
but also as an industry.